WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as more than just a risk-reduction technique. Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
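To make the pseudonymization point concrete, here is an added example (not code from the TechCrunch article): a split store in which the records keep only a keyed token in place of the e-mail address, and the key is held separately. It uses an HMAC-based token instead of reversible encryption, so the key holder can re-link records to a person while anyone holding only the records cannot; the sample records are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: the raw personal data before pseudonymization.
RAW_RECORDS = [
    {"email": "alice@example.com", "purchase": "headphones"},
    {"email": "bob@example.com", "purchase": "keyboard"},
    {"email": "Alice@Example.com", "purchase": "charger"},
]


def new_key() -> bytes:
    """Generate the secret that must be stored apart from the records (vault, KMS, HSM)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for a direct identifier. Normalising case first keeps one token per person."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list[dict], key: bytes) -> list[dict]:
    """Return records for the processing store: e-mail replaced by its token, other fields kept."""
    return [{"subject": pseudonym(r["email"], key), "purchase": r["purchase"]} for r in records]


def relink(pseudonymized: list[dict], identifier: str, key: bytes) -> list[str]:
    """Re-identification path: only a holder of the key can recompute the token and match rows.
    Because this path exists, the data is pseudonymous and still in scope, not anonymous."""
    token = pseudonym(identifier, key)
    return [r["purchase"] for r in pseudonymized if r["subject"] == token]


def leaks_identifier(pseudonymized: list[dict]) -> bool:
    """Sanity check for the processing store: no raw e-mail should survive in any field."""
    return any("@" in str(v) for r in pseudonymized for v in r.values())
```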

161 Comments

  1. Tomi Engdahl says:

    Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office
    Telemetry data slurp broke the law, Dutch govt eggheads say
    https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/

    Microsoft broke Euro privacy rules by carrying out the “large scale and covert” gathering of private data through its Office apps.

    That’s according to a report out this month [PDF] that was commissioned by the Dutch government into how information handled by 300,000 of its workers was processed by Microsoft’s Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.

    The dossier’s authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. That’s a no-no.

    Those actions break Europe’s new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines.

    https://regmedia.co.uk/2018/11/16/microsoft-office-gdpr-fail.pdf

    Reply
  2. Tomi Engdahl says:

    Domain name ‘admin’ role eyed up as latest victim of Whois system’s GDPRmeggdon
    https://www.theregister.co.uk/2018/11/27/gdpr_icann_whois/

    Plus anonymous email and all personal info to be redacted

    Reply
  4. Tomi Engdahl says:

    German chat site faces fine under GDPR after data breach
    https://www.welivesecurity.com/2018/11/27/german-chat-site-faces-fine-gdpr/

    The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures

    Reply
  5. Tomi Engdahl says:

    How much are the first fines for GDPR infringement?
    https://www.pandasecurity.com/mediacenter/news/first-sanctions-gdpr-infractions/

    2018 has been the year par excellence for data protection, when data leaks, exfiltrations, and abuses have made headlines all over the world. And against this backdrop of increased awareness about the challenges that working with sensitive data can entail, there is one regulation that has come to the fore: the GDPR (General Data Protection Regulation), which has been mandatory since May 25 this year.

    Infringement of this regulation can incur fines of up to 4% of a company’s annual global turnover, or up to €20 million. It is therefore perhaps unsurprising that companies are now examining their data with a fine tooth comb in order to stay on the right side of the legislation. However, in spite of this exigency, to date, only 29% of organizations have implemented all measures necessary to comply with the GDPR.

    Sanctions start to appear

    2019 will bring new figures

    The economic sanctions that we have seen so far are clearly relatively conservative compared to the highest possible penalties, but with the recent spate of high profile data leaks – Marriott, British Airways, Quora – it won’t be long before harsher fines start to appear.

    What can you do to avoid a fine – be it millions of Euros or more moderate? The most important thing to bear in mind is that prevention is better than a cure, and by having appropriate protection for the personal data that your company manages, you can avoid sanctions. Start by knowing exactly where this data is stored and who has access to it. To do so, it is vital to have advanced cybersecurity solutions.

    Reply
  6. Tomi Engdahl says:

    This early GDPR adtech strike puts the spotlight on consent
    Choice isn’t optional.
    https://techcrunch.com/2018/12/13/this-early-gdpr-adtech-strike-puts-the-spotlight-on-consent/?utm_source=tcfbpage&sr_share=facebook

    What does consent as a valid legal basis for processing personal data look like under Europe’s updated privacy rules? It may sound like an abstract concern but for online services that rely on things being done with user data in order to monetize free-to-access content this is a key question now the region’s General Data Protection Regulation is firmly fixed in place.

    The GDPR is actually clear about consent.

    Confusing and/or incomplete consent flows aren’t yet extinct, sadly. But it’s fair to say those that don’t offer full opt-in choice are on borrowed time.

    Because if your service or app relies on obtaining consent to process EU users’ personal data — as many free at the point-of-use, ad-supported apps do — then the GDPR states consent must be freely given, specific, informed and unambiguous.

    Reply
  7. Tomi Engdahl says:

    GDPR may require a new information system
    https://www.tivi.fi/Kaikki_uutiset/gdpr-voi-vaatia-uuden-tietojarjestelman-6753692

    Companies went to enormous trouble, but for consumers the change was mostly visible as updated terms of use. Are they read more carefully now?

    “Nobody ever reads them,” Nurmi answers.

    As an example of a well-implemented modern site he cites the BBC’s login page, which asks the user for one piece of information at a time and makes clear what purpose each piece of information is used for.

    “The time for personalized additional information is once the user has been actively visiting the site for a while.”

    Reply
  8. Tomi Engdahl says:

    Data Protection Laws Will Change How Electronics Systems are Designed
    https://www.eeweb.com/profile/loucovey/articles/data-protection-laws-will-change-how-electronics-systems-are-designed

    The advent of 5G cellular service is upon us (see “The 5G Future Begins Now!”). This is great news for the chip and electronic system industries and — possibly — outstanding news for the digital security industry.

    I pointed out that weaknesses in data security exist in the technologies that are purchased by media and retail companies. Even if those companies do everything in their power to protect customer data, a hacker can access that data through the equipment anyway. I asked how long he thought it would be before the EU went after the equipment providers for data breaches or if their customers would seek financial relief from them if they were fined. His face went white for a few seconds and then red. “I think this interview is over,” he said, and then he walked away.

    Here’s the revelation that he had: In the EU, the fine for violating the GDPR is €20 million, or 4% of a company’s annual global revenue, whichever is greater. Read that again just to let it sink in. Let’s say that Apple had a breach in their devices that was exploited by a group of hackers working for the Chinese government, giving access to the data of a couple of thousand customers in Europe. The fine for that is more than €2 billion.

    Could that happen? Well, before the GDPR went into effect, researchers discovered the Meltdown/Spectre hole in every commercial processor on the market, including all Apple products. As I wrote several times last year (see my “The Illusion of Security” columns), the hole was quickly patched at a significant cost to device performance.

    Apple and the rest of the device world is safe from the GDPR at the moment. This is because no one is thinking about applying it to devices and also because the EU regulation is an “opt-in” service. Users have to choose to have the protection, and the patch protects the device world from liability. The patches, however, can be turned off voluntarily, which constitutes a decision to opt out of the protection. This will protect them with the CCPA in 2020 because that law is opt-out, and turning off the patches could constitute a decision to opt out.

    The problem comes in when tech support doesn’t tell users that bypassing the patch to regain performance will eliminate their protection. Guess what? They don’t. That will have to change because when the CCPA goes into effect, the financial penalties could kill a company.

    The handwriting is on the wall about what data breaches will cost in the next decade, and it’s time for the hardware industry to get very serious about dealing with this issue.

    Reply
  9. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Max Schrems files GDPR complaints against Amazon, Apple, Netflix, Spotify, YouTube, others for failing to provide required info about data they collect on users — European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.

    Privacy campaigner Schrems slaps Amazon, Apple, Netflix, others with GDPR data access complaints
    Natasha Lomas
    https://techcrunch.com/2019/01/18/privacy-campaigner-schrems-slaps-amazon-apple-netflix-others-with-gdpr-data-access-complaints/

    European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.

    The complaints, filed via his nonprofit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.

    Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.

    The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled.

    Indeed, noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response.

    Reply
